Harsh Bothra is one of the 350+ Core pentesters worldwide who has contributed to the over 6000 Cobalt pentests. We had a chance to sit down with him to learn more about his pentester journey and what he enjoys about being a part of Cobalt’s pentest community.His experiences are encapsuled and expressed in the talks he does, the blogs he writes, and in his illustration of mind maps. In this spotlight, Harsh shares his inisght into a passion for content creation within the field of offensive security.
Pentester Origin Story: How did you first get involved in pentesting?
HB: Well, there is always an interesting story behind how we start. My curiosity began back in 2012. I was playing games and attempting to modify them.
At the time, I was not familiar with the word “Hack.” The term drove my curiosity towards the act of modifying pieces of software to work in unintended ways. Interest in what I found became the driving force that compelled my research and practice into the art of “Ethical Hacking.” A way to both protect and become familiar with intricacies of various technologies.
From that point-on, I never looked back - or thought about changing careers. This journey has.
What are some of the biggest milestones you feel you’ve reached within this field?
HB: One of the biggest milestones was becoming more involved in the security community itself - through my talks, blogs, tweets and other work. I really love to see people utilizing and appreciating my work. It keeps me motivated to develop more.
I'd say that I'm also proud of the following:
- Authoring multiple books on hacking for beginners.
- Have placed in the top 150 bug hunters with with Bugcrowd (MVP in 2020)
- I've published more than 20 blogs and 5 mind maps, published tools, finished a year long Learn365 learning challenge.
- Completed and have been awarded eWAPTX, eCPPT and CEHv10 certifications.
Over time, I also got a chance to mentor engineering students and aspiring cyber security students to help them with learning and finding the right pathway.
How has Cobalt impacted your security career?
HB: I mention to everyone that Cobalt has changed my life. I got a chance to work with many intelligent and skilled pentesters from different parts of the world. In fact, Cobalt gave me the opportunity to become a Team Lead. Which has empowered me by putting me in the position to lead and learn from group experiences.
Another plus is the opportunity to work with multiple clients directly. Having the ability to have face-to-face dialog helped me build stronger customer-facing communication. On a personal level, Cobalt continued to help me gain more visibility in the security industry by publishing my blogs and inviting me onto their Pentester Diaries podcast, twice. Not to mention, Cobalt helped stay financially strong. I was able to finish paying off my education loan, purchase a new house, and save enough for a grand wedding.
What are important steps a pentester should take to grow in this field?
HB: Continuous learning and practicing are really essential to growing in the security domain. Each and every day something new is coming, and as a pentester, you must be aware of the latest happenings. One of the now classic examples is the “log4j” vulnerability that rocked the security community. You can polish skills by staying aware of other people’s experiences, or reading interesting blogs on specific attack vectors and bypasses.
Application testing is not that straightforward. You are more likely to find vulnerabilities hiding in plain sight, protected by WAFs, or regex patterns. You need to have an understanding of performing certain levels of bypass attacks before concluding that “the application is secure against X attack.”
Where do you go to learn about different security concepts?
HB: Twitter is my go-to resource. I follow a bunch of people who tweet some quality info, and I generally follow those resources. Apart from that, I have subscribed to a few newsletters that contain a summary of what’s happening, to picking out topics that I find interesting for study. Apart from that, Intigriti’s Bug Bytes are amazing - I regularly follow them as a resource.
In fact, to solidify my learning process, I started a continuous learning challenge Learn365. I spent the year of 2021 learning something new daily. I managed to gather learning resources from various medium blogs, tweets, newsletters and articles. These are some of my suggestions:
You’re one of the Cobalt Pentest Leads. What do you believe are the most integral facets of running a smooth pentest from a lead’s perspective, and what should be actively done to increase your team’s ability to work together?
HB: Being a pentest Team Lead comes with a lot of responsibilities. More or less, you are an essential factor for the success of your engagement. As a leader, you must be active in communicating with the client and your team. You are the bridge between the two. There are also housekeeping items. Such as, checking for access and requirement details before the engagement starts. Keeping consistent dialogue with the client on the blockers, and in a timely fashion, is essential to the success of a pentest.
I learned that team engagement, coupled with active communication, will help you see a rise in productivity. The results are always amazing when you actively engage with your team. Timely check-ins on how they are doing, and if they are facing any challenges, puts you in a position to resolve conflict. Being there for them helps you maintain active group cohesion and get the work done.
What does a successful pentest look like in your eyes?
HB: There are multiple factors that define a successful pentest. Such as communication, number of discovered findings, coverage achieved, and team engagement. However - in my opinion, communication plays the most important role. Active communication with the clients, regular team updates, and concise vulnerability reports are marks of a successful pentest.
With your team, a balanced participation of each team member is essential. If your team is participating equally, you need not worry about the coverage.
With your clients, clearly defining findings and showing their potential for impact is integral. In the end, clients should feel value for what they have paid for.
If we look at the pentester’s requirements, having a clear scope and proper access to required documents, credentials, and other housekeeping items enable a pentester to perform the test with ease. If any item is blocking the testing activities, you should timely inform the client looping your assigned TPM and CSM.
Core members often have security consulting roles and bug hunts they are on. How do you actively deal with the potential of burnout? What would you suggest freelancers do to avoid or deal with this?
HB: Burnout occurs frequently in the industry, but that frequency can vary from person-to-person. The first thing to deal with burnout is to accept this, “It is okay to have burnout.” It is a response to overloading yourself. Your mind and body are asking for some peaceful time.
When burnout hits me I simply disconnect myself from all work and do some meditation. I’ll also listen to motivational content. I will go out for a walk around the lake in my city and stare at the calm water. If that is not enough, I will switch over to listening to my favorite music and binge-watching some interesting movies or series.
These are just some personal preferences, but I also ensure one thing - I keep myself away from being completely settled into my comfort zone during this break. Otherwise it’s going to impact my work.
One of the great things about working with Cobalt is choosing your working hours. You choose testing times depending on your preference. This can help control your work bandwidth to prevent potential burnout.
You have produced some great content for the community. What inspired you to start posting?
HB: I started writing content back in April 2020. I posted about a critical issue I found during my initial days in bug bounty. The response was well received. This response from the public inspired me to write more about my findings and experience. The result - my own blog on Medium.
Sharing my knowledge has become my passion. If even one person is getting value out of my content, I will be motivated to write more, create more mindmaps, and present at more conferences.
Plus, publishing content has also helped me improve my overall communication skills. Being able to convey a technical topic in a manner that can reach all audiences is no easy task.
You’ve gathered a steady stream of followers. Whether it is Twitter or Medium articles, you have people coming back for new insights. What do you feel are the most important elements to your security content?
HB: I believe the key to writing content and keeping your audience engaged is to provide them with something unique. In general, I do not blog about something I’ve consistently seen. For example, “How to find Cross-Site Scripting.” I’d instead write about the less covered topic “How to bypass different types of Cross-Site Script Filtering.” It isn’t that one is more-or-less valuable, but promoting topics that aren’t often seen.
Also, I always keep in mind the level of skill and areas of expertise my readers may have. Some have been in the community for a long time, while some might just be starting their journey. So, I will put the things in layman terms to ensure everyone can digest it easily, regardless of status.
Authoring a book is a significant undertaking (you’ve authored two). What was your experience writing them?
HB: Writing a book is not an easy task. I came across multiple challenges while writing these books.
The most important factors were consistency and keeping a schedule to write regularly. It doesn’t matter what interesting topics you have in mind, if you don’t take the time to sit down and start.
It definitely took over my life for a while. I would sit for hours - with a pen and paper in hand, jotting down ideas. Sometimes, I’d get up in the middle of the night with an idea I couldn’t shake. The work never really stops.
Overall, I would say that it was an amazing experience becoming an author. This year I will try to take out some time to update my existing books. Possibly write a book focused on application security.
What creative projects are you looking forward to producing in the future?
HB: This year I am looking forward to working on a project called SecurityExplained.
The main idea is to create content in multiple formats. This would include blogs, tweets, and podcasts aimed at benefiting our developing security community.
What does life outside of security look like for you?
HB: I really enjoy writing poetry and short stories. I like to go out and take small trips with my loved ones. Apart from that, I love reading books about self-help and motivation.
While I am not working, I often spend my time binge-watching my favorite shows and sometimes cooking some new dishes (especially, I experiment with Pizzas every time).
At the time of writing this, a new year is closing in on us. What are some of the long and short term goals you have for 2022?
HB: This year I’ve consolidated a few strong resolutions. My plans are to start with a new series called SecurityExplained, engage more with the community with some new content, participate in some physical security conferences, guide beginners to share their career into cyber security, explore some countries, start back into bug bounties and as usual help the world be more cyber safe & secure.
From a personal perspective, I am planning to give more time to have a better mental health, regular meditation, and spending more time with loved ones.